With so much attention focused recently on constant consumer spying and privacy violations, erroneous or otherwise, by Amazon, Facebook and now Twitter, it is easy to forget that virtually other communication apps have the same purpose, and that's what one secretive Israeli company relied on when they used a vulnerability in the popular messaging app WhatsApp (owned by Facebook) to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said. What is unique is how the app was infected: with a simple phone call.
According to the FT, WhatsApp which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. The malicious code, developed by the secretive NSO Group, a notorious and controversial Israeli hacking and surveillance tools vendor, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs.
It is unclear how many apps were infected with the spyware trojan, which could for example, allow anyone to get access to John Podesta's email password (and then blame say, Vladimir Putin for example) as WhatsApp is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, although it is likely a substantial number. As late as Sunday, the FT reports that WhatsApp engineers were racing to close the loophole.
For those who thought that Alexa's constant eavesdropping was bad, this is even worse: NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data. It effectively opens up one's entire cellphone to the hacker, and to get "infected", one just needs to receive an inbound phone call without ever answering it.
NSO advertises its products to Middle Eastern and Western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime. NSO was recently valued at $1bn in a leveraged buyout that involved the UK private equity fund Novalpina Capital
Since the application is Israeli, its hardly a surprise that the spies' preferred targets were Middle Eastern: as the FT reports, in the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said, with the government in question being that of Israel. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
WhatsApp disclosed the issue to the US Department of Justice last week, according to a person familiar with the matter. A justice department spokesman declined to comment.
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty International, which identified an attempt to hack into the phone of one its researchers.
“The Israeli ministry of defense has ignored mounting evidence linking NSO Group to attacks on human rights defenders. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.